Closed mvillarejo closed 4 years ago
Hi,
While I agree that a tight coupling between SSL being enabled and the API capabilities is, at least in my opinion, not a good idea (because it means you can't build N-tier solutions on your own), if I refer to https://github.com/phpipam/phpipam/blob/1.4/api/index.php#L68, I understand you can still use the "crypt" method when calling the API.
So I would recommend using this method, discussing it on phpipam/phpipam to understand the subtleties, if any, and then eventually I can allow overriding this parameter through yet another env variable.
Or you can provide your own config.php, it also works. Let me know.
EDIT: also, if you enable SSL on a reverse proxy, or even just add the correct headers after rewrite, it will bypass these checks since https://github.com/phpipam/phpipam/commit/1e0ba42b33474b90ae2eaed115c7a18a0bad84ba, which, IMO, confirms my point of this coupling being useless.
Hello,
I know it's not ideal, as security is really important, but do you think it is possible to add an environment variable to run the API without SSL? I'm getting this message while trying to enable API access:
API server requires SSL. Please set $api_allow_unsafe in config.php to override
Thanks and congrats on the contribution.